Abstract

Increasing use of computers and networks in business, government, 
recreation, and almost all aspects of daily life has led to a proliferation of 
online sensitive data about individuals and organizations. Consequently, 
concern about the privacy of these data has become a top priority, par- 
ticularly those data that are created and used in electronic commerce. 
There have been many formulations of privacy and, unfortunately, many 
negative results about the feasibility of maintaining privacy of sensitive 
data in realistic networked environments. We formulate
communication-complexity-based definitions, both worst-case and average-case,
of a problem's privacy-approximation ratio. We use our definitions to
investigate the extent to which approximate privacy is achievable in two
standard problems: the 2nd-price Vickrey auction [22] and the millionaires
problem of Yao.

For both the 2nd-price Vickrey auction and the millionaires problem,
we show that not only is perfect privacy impossible or infeasibly costly
to achieve, but even close approximations of perfect privacy suffer from
the same lower bounds. By contrast, we show that, if the values of the
parties are drawn uniformly at random from $\{0, \ldots, 2^k - 1\}$, then, for
both problems, simple and natural communication protocols have
privacy-approximation ratios that are linear in $k$ (i.e., logarithmic in the
size of the space of possible inputs). We conjecture that this improved
privacy-approximation ratio is achievable for any probability distribution.
1 Introduction



Increasing use of computers and networks in business, government, recreation, 
and almost all aspects of daily life has led to a proliferation of online sensitive 
data about individuals and organizations. Consequently, the study of privacy 
has become a top priority in many disciplines. Computer scientists have con- 
tributed many formulations of the notion of privacy-preserving computation that 
have opened new avenues of investigation and shed new light on some well stud- 
ied problems. 

One good example of a new avenue of investigation opened by concern about 
privacy can be found in auction design, which was our original motivation for 
this work. Traditional auction theory is a central research area in Economics, 
and one of its main questions is how to incent bidders to behave truthfully, i.e., 
to reveal private information that auctioneers need in order to compute optimal 
outcomes. More recently, attention has turned to the complementary goal of 
enabling bidders not to reveal private information that auctioneers do not need 
in order to compute optimal outcomes. The importance of bidders' privacy, 
like that of algorithmic efficiency, has become clear now that many auctions 
are conducted online, and Computer Science has become at least as relevant as 
Economics. 

Our approach to privacy is based on communication complexity. Although 
originally motivated by agents' privacy in mechanism design, our definitions and 
tools can be applied to distributed function computation in general. Because 
perfect privacy can be impossible or infeasibly costly to achieve, we investigate 
approximate privacy. Specifically, we formulate both worst-case and
average-case versions of the privacy-approximation ratio of a function $f$ in
order to quantify the amount of privacy that can be maintained by parties who
supply sensitive inputs to a distributed computation of $f$. We also study the
tradeoff between privacy preservation and communication complexity.

Our points of departure are the work of Chor and Kushilevitz [8] on
characterization of privately computable functions and that of Kushilevitz [17]
on the communication complexity of private computation. Starting from the same
place, Bar-Yehuda et al. [2] also provided a framework in which to quantify the
amount of privacy that can be maintained in the computation of a function and
the communication cost of achieving it. Their definitions and results are
significantly different from the ones we present here (see the discussion in
the appendix); as explained in Section [5] below, a precise characterization of
the relationship between their formulation and ours is an interesting direction
for future work.

1.1 Our Approach 

Consider an auction of a Bluetooth headset with 2 bidders, 1 and 2, in which
the auctioneer accepts bids ranging from $0 to $7 in $1 increments. Each bidder
$i$ has a private value $x_i \in \{0, \ldots, 7\}$ that is the maximum he is
willing to pay for the headset. The item is sold in a 2nd-price Vickrey
auction, i.e., the higher bidder gets the item (with ties broken in favor of
bidder 1), and the price he pays is the lower bid. The demand for privacy
arises naturally in such scenarios:
In a straightforward protocol, the auctioneer receives sealed bids from both 
bidders and computes the outcome based on this information. Say, e.g., that 
bidder 1 bids $3, and bidder 2 bids $6. The auctioneer sells the headset to bidder 
2 for $3. It would not be at all surprising however if, in subsequent auctions of 
headsets in which bidder 2 participates, the same auctioneer set a reservation 
price of $5. This could be avoided if the auction protocol allowed the auctioneer 
to learn the fact that bidder 2 was the highest bidder (something he needs to 
know in order to determine the outcome) but did not entail the full revelation 
of 2's private value for the headset. 
Figure 1: The minimal knowledge requirements for 2nd-price auctions



Observe that, in some cases, revelation of the exact private information of
the highest bidder is necessary. For example, if $x_1 = 6$, then bidder 2 will
win only if $x_2 = 7$. In other cases, the revelation of a lot of information
is necessary, e.g., if bidder 1's bid is 5, and bidder 2 outbids him, then
$x_2$ must be either 6 or 7. An auction protocol is said to achieve perfect
objective privacy if the auctioneer learns nothing about the private
information of the bidders that is not needed in order to compute the result of
the auction. Figure 1 illustrates the information the auctioneer must learn in
order to determine the outcome of the 2nd-price auction described above.
Observe that the auctioneer's failure to distinguish between two potential
pairs of inputs that belong to different rectangles in Fig. 1 implies his
inability to determine the winner or the price the winner must pay. Also
observe, however, that the auctioneer need not be able to distinguish between
two pairs of inputs that belong to the same rectangle.

Using the "minimal knowledge requirements" described in Fig. 1, we can now
characterize a perfectly (objective) privacy-preserving auction protocol as one
that induces this exact partition of the space of possible inputs into
subspaces in which the inputs are indistinguishable to the auctioneer.
Unfortunately, perfect privacy is often hard or even impossible to achieve. For
2nd-price auctions, Brandt and Sandholm [5] show that every perfectly private
auction protocol has exponential communication complexity. This provides the
motivation for our definition of privacy-approximation ratio: We are interested
in whether there is an auction protocol that achieves "good" privacy guarantees
without paying such a high price in computational efficiency. We no longer
insist that the auction protocol induce a partition of inputs exactly as in
Fig. 1 but rather that it "approximate" the optimal partition well. We define
two kinds of privacy-approximation ratio (PAR): worst-case PAR and average-case
PAR.

The worst-case PAR of a protocol P for the 2nd-price auction is defined
as the maximum ratio between the size of a set S of indistinguishable inputs
in Fig. 1 and the size of a set of indistinguishable inputs induced by P that
is contained in S. If a protocol is perfectly privacy preserving, these sets are 
always the same size, and so the worst-case PAR is 1. If, however, a protocol 
fails to achieve perfect privacy, then at least one "ideal" set of indistinguishable 
inputs strictly contains a set of indistinguishable inputs induced by the protocol. 
In such cases, the worst-case PAR will be strictly higher than 1. 

Consider, e.g., the sealed-bid auction protocol in which both bidders reveal 
their private information to the auctioneer, who then computes the outcome. 
Obviously, this naive protocol enables the auctioneer to distinguish between 
every two pairs of private inputs, and so each set of indistinguishable inputs 
induced by the protocol contains exactly one element. The worst-case PAR
of this protocol is therefore $\frac{8}{1} = 8$. (If bidder 2's value is 0,
then in Fig. 1 the auctioneer is unable to determine which value in
$\{0, \ldots, 7\}$ is $x_1$. In the sealed-bid auction protocol, however, the
auctioneer learns the exact value of $x_1$.) The average-case PAR is a natural
Bayesian variant of this definition: We
now assume that the auctioneer has knowledge of some market statistics, in 
the form of a probability distribution over the possible private information of 
the bidders. PAR in this case is defined as the average ratio and not as the 
maximum ratio as before. 

Thus, intuitively, PAR captures the effect of a protocol on the privacy 
(in the sense of indistinguishability from other inputs) afforded to protocol 
participants — it indicates the factor by which, in the worst case or on aver- 
age, using the protocol to compute the function, instead of just being told the 
output, reduces the number of inputs from which a given input cannot be dis- 
tinguished. To formalize and generalize the above intuitive definitions of PAR, 
we make use of machinery from communication-complexity theory. Specifically, 
we use the concepts of monochromaticity and tilings to make formal the notions 
of sets of indistinguishable inputs and of the approximability of privacy. We 
discuss other notions of approximate privacy in Section [5].

1.2 Our Findings 

We present both upper and lower bounds on the privacy-approximation ratio
for both the millionaires problem and 2nd-price auctions with 2 bidders. Our
analysis of these two environments takes place within Yao's 2-party
communication model [23], in which the private information of each party is a
$k$-bit string, representing a value in $\{0, \ldots, 2^k - 1\}$. In the
millionaires problem, the two parties (the millionaires) wish to keep their
private information hidden from each other. We refer to this goal as the
preservation of subjective privacy. In electronic-commerce environments, each
party (bidder) often communicates with the auctioneer via a secure channel, and
so the aim in the 2nd-price auction is to prevent a third party (the
auctioneer), who is unfamiliar with any of the parties' private inputs, from
learning "too much" about the bidders. This goal is referred to, in this paper,
as the preservation of objective privacy.

Informally, for both the 2nd-price Vickrey auction and the millionaires
problem, we obtain the following results: We show that not only is perfect
privacy impossible or infeasibly costly to achieve, but even close
approximations of perfect privacy suffer from the same lower bounds. By
contrast, we show that, if the values of the parties are drawn uniformly at
random from $\{0, \ldots, 2^k - 1\}$, then, for both problems, simple and
natural communication protocols have privacy-approximation ratios that are
linear in $k$ (i.e., logarithmic in the size of the space of possible inputs).
We conjecture that this improved PAR is achievable
for any probability distribution. The correctness of this conjecture would imply 
that, no matter what beliefs the protocol designer may have about the parties' 
private values, a protocol that achieves reasonable privacy guarantees exists. 

Importantly, our results for the 2nd-price Vickrey auction are obtained by
proving a more general result for a large family of protocols for single-item
auctions, termed "bounded-bisection auctions", that contains both the
celebrated ascending-price English auction and the class of bisection auctions
[14, 15].

We show that our results for the millionaires problem also extend to the 
classic economic problem of provisioning a public good, by observing that, in 
terms of privacy-approximation ratios, the two problems are, in fact, equivalent. 

1.3 Related Work: Defining Privacy-Preserving Computation

1.3.1 Communication-Complexity-Based Privacy Formulations 

As explained above, the privacy work of Bar-Yehuda et al. [2] and the work
presented in this paper have common ancestors in [8, 17]. Similarly, the work
of Brandt and Sandholm [6] uses Kushilevitz's formulation to prove an
exponential lower bound on the communication complexity of privacy-preserving
2nd-price Vickrey auctions. We elaborate on the relation of our work to that of
Bar-Yehuda et al. [2] in the appendix.
Similarly to [31|51[T7], our work focuses on the two-party deterministic
communication model. We view our results as a first step in a more general
research agenda, outlined in Sec. [5].

There are many formulations of privacy-preserving computation, both exact 
and approximate, that are not based on the definitions and tools in [SHI]- We 
now briefly review some of them and explain how they differ from ours. 

1.3.2 Secure, Multiparty Function Evaluation 

The most extensively developed approach to privacy in distributed computation 
is that of secure, multiparty function evaluation (SMFE). Indeed, to achieve 
agent privacy in algorithmic mechanism design, which was our original moti- 
vation, one could, in principle, simply start with a strategyproof mechanism 
and then have the agents themselves compute the outcome and payments using 
an SMFE protocol. However, as observed by Brandt and Sandholm [5], these 
protocols fall into two main categories, and both have inherent disadvantages 
from the point of view of mechanism design: 

• Information-theoretically private protocols, the study of which was initi- 
ated by Ben-Or, Goldwasser, and Wigderson [3] and Chaum, Crepeau, 
and Damgaard [7], rely on the assumption that a constant fraction of 
the agents are "honest" (or "obedient" in the terminology of distributed 
algorithmic mechanism design [H]), i.e., that they follow the protocol per- 
fectly even if they know that doing so will lead to an outcome that is not 
as desirable to them as one that would result from their deviating from 
the protocol; clearly, this assumption is antithetical to the main premise 
of mechanism design, which is that all agents will behave strategically, 
deviating from protocols when and only when doing so will improve the 
outcome from their points of view; 

• Multiparty protocols that use cryptography to achieve privacy, the study
of which was initiated by Yao [MIE^, rely on (plausible but currently
unprovable) complexity-theoretic assumptions. Often, they are also very
communication-intensive (see, e.g., [B] for an explanation of why some of
the deficiencies of the Vickrey auction cannot be solved via cryptography).
Moreover, sometimes the deployment of cryptographic machinery is infeasible
(over the years, many cryptographic variants of the current interdomain
routing protocol, BGP, were proposed, but not deployed due to the
infeasibility of deploying a global Internet-wide PKI infrastructure and
the real-time computational cost of verifying signatures). For some
mechanisms of interest, efficient cryptographic protocols have been obtained
(see, e.g., [9, 19]).

In certain scenarios, the demand for perfect privacy preservation cannot 
be relaxed. In such cases, if the function cannot be computed in a privacy- 
preserving manner without the use of cryptography, there is no choice but to 
resort to a cryptographic protocol. There is an extensive body of work on 
cryptography-based identity protocols, and we are not offering our notion of
PAR as an extension of that work. (In fact, the framework described here 
might be applied to SMFE protocols by replacing indistinguishability by com- 
putational indistinguishability. However, this does not appear to yield any new 
insights.) 

However, in other cases, we argue that privacy preservation should be re- 
garded as one of several design goals, alongside low computational/communication 
complexity, protocol simplicity, incentive-compatibility, and more. Therefore, it 
is necessary to be able to quantify privacy preservation in order to understand 
the tradeoffs among the different design goals, and obtain "reasonable" (but 
not necessarily perfect) privacy guarantees. Our PAR approach continues the 
long line of research about information-theoretic notions of privacy, initiated by 
Ben-Or et al. and by Chaum et al. Regardless of the above argument, we believe 
that information-theoretic formulations of privacy and approximate privacy are 
also natural to consider in their own right. 

1.3.3 Private Approximations and Approximate Privacy 

In this paper, we consider protocols that compute exact results but preserve 
privacy only approximately. One can also ask what it means for a protocol 
to compute approximate results in a privacy-preserving manner; indeed, this 
question has also been studied [51 [TT1[TB], but it is unrelated to the questions we
ask here. Similarly, definitions and techniques from differential privacy [10] (see
also [13]), in which the goal is to add noise to the result of a database query 
in such a way as to preserve the privacy of the individual database records 
(and hence protect the data subjects) but still have the result convey nontrivial 
information, are inapplicable to the problems that we study here. 

1.4 Paper Outline 

In the next section, we review and expand upon the connection between perfect
privacy and communication complexity. We present our formulations of
approximate privacy, both worst case and average case, in Section 3; we present
our main results in Sections |3] and [5] Discussion and future directions can
be found in Section ini

2 Perfect Privacy and Communication Complexity

We now briefly review Yao's model of two-party communication and notions 
of objective and subjective perfect privacy; see Kushilevitz and Nisan [TH] for 
a comprehensive overview of communication complexity theory. Note that we 
only deal with deterministic communication protocols. Our definitions can be 
extended to randomized protocols. 
2.1 Two-Party Communication Model

There are two parties, 1 and 2, each holding a $k$-bit input string. The
input of party $i$, $x_i \in \{0,1\}^k$, is the private information of $i$. The
parties communicate with each other in order to compute the value of a function
$f : \{0,1\}^k \times \{0,1\}^k \to \{0,1\}^t$. The two parties alternately
send messages to each other. In communication round $j$, one of the parties
sends a bit $q_j$ that is a function of that party's input and the history
$(q_1, \ldots, q_{j-1})$ of previously sent messages. We say that a bit is
meaningful if it is not a constant function of this input and history and if,
for every meaningful bit transmitted previously, there is some combination of
input and history for which the bit differs from the earlier meaningful bit.
Non-meaningful bits (e.g., those sent as part of protocol-message headers) are
irrelevant to our work here and will be ignored. A communication protocol
dictates, for each party, when it is that party's turn to transmit a message
and what message he should transmit, based on the history of messages and his
value.

A communication protocol P is said to compute $f$ if, for every pair of inputs
$(x_1, x_2)$, it holds that $P(x_1, x_2) = f(x_1, x_2)$. As in [17], the last
message sent in a protocol P is assumed to contain the value $f(x_1, x_2)$ and
therefore may require up to $t$ bits. The communication complexity of a
protocol P is the maximum, over all input pairs, of the number of bits
transmitted during the execution of P.

Any function $f : \{0,1\}^k \times \{0,1\}^k \to \{0,1\}^t$ can be visualized
as a $2^k \times 2^k$ matrix with entries in $\{0,1\}^t$, in which the rows
represent the possible inputs of party 1, the columns represent the possible
inputs of party 2, and each entry contains the value of $f$ associated with its
row and column inputs. This matrix is denoted by $A(f)$.

Definition 1 (Regions, partitions) A region in a matrix A is any subset of
entries in A (not necessarily a submatrix of A). A partition of A is a
collection of disjoint regions in A whose union equals A.

Definition 2 (Monochromaticity) A region R in a matrix A is called
monochromatic if all entries in R contain the same value. A monochromatic
partition of A is a partition all of whose regions are monochromatic.

Of special interest in communication complexity are specific kinds of regions
and partitions called rectangles and tilings, respectively:

Definition 3 (Rectangles, Tilings) A rectangle in a matrix A is a submatrix
of A. A tiling of a matrix A is a partition of A into rectangles.

Definition 4 (Refinements) A tiling $T_1(f)$ of a matrix $A(f)$ is said to be
a refinement of another tiling $T_2(f)$ of $A(f)$ if every rectangle in
$T_1(f)$ is contained in some rectangle in $T_2(f)$.
Monochromatic rectangles and tilings are an important concept in
communication-complexity theory, because they are linked to the execution of
communication protocols. Every communication protocol P for a function $f$ can
be thought of as follows:

1. Let $R$ and $C$ be the sets of row and column indices of $A(f)$,
respectively. For $R' \subseteq R$ and $C' \subseteq C$, we will abuse notation
and write $R' \times C'$ to denote the submatrix of $A(f)$ obtained by deleting
the rows not in $R'$ and the columns not in $C'$.

2. While $R \times C$ is not monochromatic:

• One party $i \in \{1, 2\}$ sends a single bit $q$ (whose value is based on
$x_i$ and the history of communication).

• If $i = 1$, $q$ indicates whether 1's value is in one of two disjoint sets
$R_1, R_2$ whose union equals $R$. If $x_1 \in R_1$, both parties set
$R = R_1$. If $x_1 \in R_2$, both parties set $R = R_2$.

• If $i = 2$, $q$ indicates whether 2's value is in one of two disjoint sets
$C_1, C_2$ whose union equals $C$. If $x_2 \in C_1$, both parties set
$C = C_1$. If $x_2 \in C_2$, both parties set $C = C_2$.

3. One of the parties sends a last message (consisting of up to $t$ bits)
containing the value in all entries of the monochromatic rectangle
$R \times C$.

Observe that, for every pair of private inputs $(x_1, x_2)$, P terminates at
some monochromatic rectangle in $A(f)$ that contains $(x_1, x_2)$. We refer to
this rectangle as "the monochromatic rectangle induced by P for $(x_1, x_2)$".
We refer to the tiling that consists of all rectangles induced by P (for all
pairs of inputs) as "the monochromatic tiling induced by P".



Figure 2: A tiling that cannot be induced by any communication protocol [17] 



Remark 2.1 There are monochromatic tilings that cannot be induced by
communication protocols. For example, observe that the tiling in Fig. 2 (which
is essentially an example from [17]) has this property.
2.2 Perfect Privacy

Informally, we say that a two-party protocol is perfectly privacy-preserving if 
the two parties (or a third party observing the communication between them) 
cannot learn more from the execution of the protocol than the value of the 
function the protocol computes. (These definitions can be extended naturally to
protocols involving more than two participants.)

Formally, let P be a communication protocol for a function $f$. The
communication string passed in P is the concatenation of all the messages
$(q_1, q_2, \ldots)$ sent in the course of the execution of P. Let
$s_{(x_1,x_2)}$ denote the communication string passed in P if the inputs of
the parties are $(x_1, x_2)$. We are now ready to define perfect privacy. The
following two definitions handle privacy from the point of view of a party $i$
that does not want the other party (who is, of course, familiar not only with
the communication string, but also with his own value) to learn more than
necessary about $i$'s private information. We say that a protocol is perfectly
private with respect to party 1 if 1 never learns more about party 2's private
information than necessary to compute the outcome.

Definition 5 (Perfect privacy with respect to 1) [8, 17] P is perfectly
private with respect to party 1 if, for every $x_2, x_2'$ such that
$f(x_1, x_2) = f(x_1, x_2')$, it holds that $s_{(x_1,x_2)} = s_{(x_1,x_2')}$.

Informally, Def. 5 says that party 1's knowledge of the communication string
passed in the protocol and his knowledge of $x_1$ do not aid him in
distinguishing between two possible inputs of 2. Similarly:

Definition 6 (Perfect privacy with respect to 2) [8, 17] P is perfectly
private with respect to party 2 if, for every $x_1, x_1'$ such that
$f(x_1, x_2) = f(x_1', x_2)$, it holds that $s_{(x_1,x_2)} = s_{(x_1',x_2)}$.

Observation 2.2 For any function $f$, the protocol in which party $i$ reveals
$x_i$ and the other party computes the outcome of the function is perfectly
private with respect to $i$.

Definition 7 (Perfect subjective privacy) P achieves perfect subjective pri- 
vacy if it is perfectly private with respect to both parties. 

The following definition considers a different form of privacy: privacy from
a third party that observes the communication string but has no a priori
knowledge about the private information of the two communicating parties. We
refer to this notion as objective privacy.

Definition 8 (Perfect objective privacy) P achieves perfect objective privacy
if, for every two pairs of inputs $(x_1, x_2)$ and $(x_1', x_2')$ such that
$f(x_1, x_2) = f(x_1', x_2')$, it holds that
$s_{(x_1,x_2)} = s_{(x_1',x_2')}$.

Kushilevitz [17] was the first to point out the interesting connections between
perfect privacy and communication-complexity theory. Intuitively, we can think
of any monochromatic rectangle R in the tiling induced by a protocol P as a
set of inputs that are indistinguishable to a third party. This is because, by
definition of R, for any two pairs of inputs in R, the communication string
passed in P must be the same. Hence we can think of the privacy of the
protocol in terms of the tiling induced by that protocol.

Ideally, every two pairs of inputs that are assigned the same outcome by
a function $f$ will belong to the same monochromatic rectangle in the tiling
induced by a protocol for $f$. This observation enables a simple
characterization of perfect privacy-preserving mechanisms.

Definition 9 (Ideal monochromatic partitions) A monochromatic region
in a matrix A is said to be a maximal monochromatic region if no monochromatic
region in A properly contains it. The ideal monochromatic partition of A
is made up of the maximal monochromatic regions.

Observation 2.3 For every possible value in a matrix A, the maximal mono- 
chromatic region that corresponds to this value is unique. This implies the 
uniqueness of the ideal monochromatic partition for A. 

Observation 2.4 (A characterization of perfectly privacy-preserving
protocols) A communication protocol P for $f$ is perfectly privacy-preserving
iff the monochromatic tiling induced by P is the ideal monochromatic partition
of $A(f)$. This holds for all of the above notions of privacy.

3 Privacy-Approximation Ratios

Unfortunately, perfect privacy should not be taken for granted. As shown by
our results, in many environments, perfect privacy can be either impossible or
very costly (in terms of communication complexity) to obtain. To measure a
protocol's effect on privacy, relative to the ideal (but perhaps impossible to
implement) computation of the outcome of a problem, we introduce the notion
of privacy-approximation ratios (PARs).

3.1 Worst-Case PARs 

For any communication protocol P for a function $f$, we denote by
$R^P(x_1, x_2)$ the monochromatic rectangle induced by P for $(x_1, x_2)$. We
denote by $R^I(x_1, x_2)$ the monochromatic region containing
$A(f)_{(x_1,x_2)}$ in the ideal monochromatic partition of $A(f)$. Intuitively,
$R^P(x_1, x_2)$ is the set of inputs that are indistinguishable from
$(x_1, x_2)$ to P. $R^I(x_1, x_2)$ is the set of inputs that would be
indistinguishable from $(x_1, x_2)$ if perfect privacy were preserved. We wish
to assess how far one is from the other. The size of a region $R$, denoted by
$|R|$, is the cardinality of $R$, i.e., the number of inputs in $R$.

We can now define worst-case objective PAR as follows: 
Definition 10 (Worst-case objective PAR of P) The worst-case objective
privacy-approximation ratio of communication protocol P for function $f$ is

$$\alpha = \max_{(x_1,x_2)} \frac{|R^I(x_1,x_2)|}{|R^P(x_1,x_2)|}.$$

We say that P is $\alpha$-objective-privacy-preserving in the worst case.

Definition 11 ($i$-partitions) The 1-partition of a region $R$ in a matrix A is
the set of disjoint rectangles
$R_{x_1} = \{x_1\} \times \{x_2 \text{ s.t. } (x_1, x_2) \in R\}$ (over all
possible inputs $x_1$). 2-partitions are defined analogously.

Intuitively, given any region $R$ in the matrix $A(f)$, if party $i$'s actual
private information is $x_i$, then $i$ can use this knowledge to eliminate all
the parts of $R$ other than $R_{x_i}$. Hence, the other party should be
concerned not with $R$ but rather with the $i$-partition of $R$.

Definition 12 ($i$-induced tilings) The $i$-induced tiling of a protocol P is
the refinement of the tiling induced by P obtained by $i$-partitioning each
rectangle in it.

Definition 13 (i-ideal monochromatic partitions) The i-ideal monochro- 
matic partition is the refinement of the ideal monochromatic partition obtained 
by i-partitioning each region in it. 

For any communication protocol P for a function $f$, we use
$R_i^P(x_1, x_2)$ to denote the monochromatic rectangle containing
$A(f)_{(x_1,x_2)}$ in the $i$-induced tiling for P. We denote by
$R_i^I(x_1, x_2)$ the monochromatic rectangle containing $A(f)_{(x_1,x_2)}$ in
the $i$-ideal monochromatic partition of $A(f)$.

Definition 14 (Worst-case PAR of P with respect to $i$) The worst-case
privacy-approximation ratio with respect to $i$ of communication protocol P for
function $f$ is

$$\alpha = \max_{(x_1,x_2)} \frac{|R_i^I(x_1,x_2)|}{|R_i^P(x_1,x_2)|}.$$

We say that P is $\alpha$-privacy-preserving with respect to $i$ in the worst
case.

Definition 15 (Worst-case subjective PAR of P) The worst-case subjective
privacy-approximation ratio of communication protocol P for function $f$ is
the maximum of the worst-case privacy-approximation ratio with respect to each
party.

Definition 16 (Worst-case PAR) The worst-case objective (subjective) PAR
for a function $f$ is the minimum, over all protocols P for $f$, of the
worst-case objective (subjective) PAR of P.
3.2 Average-Case PARs



As we shall see below, it is also useful to define an average-case version of 
PAR. As the name suggests, the average-case objective PAR is the average 
ratio between the size of the monochromatic rectangle containing the private 
inputs and the corresponding region in the ideal monochromatic partition. 

Definition 17 (Average-case objective PAR of P) Let $D$ be a probability
distribution over the space of inputs. The average-case objective
privacy-approximation ratio of communication protocol P for function $f$ is

$$\alpha = \mathbb{E}_D\left[\frac{|R^I(x_1,x_2)|}{|R^P(x_1,x_2)|}\right].$$

We say that P is $\alpha$-objective privacy-preserving in the average case with
distribution $D$ (or with respect to $D$).

We define average-case PAR with respect to i analogously, and average-case
subjective PAR as the maximum over all players i of the average-case PAR
with respect to i. We define the average-case objective (subjective) PAR for
a function f as the minimum, over all protocols P for f, of the average-case
objective (subjective) PAR of P.

4 The Millionaires Problem and Public Goods: 
Bounds on PARs 

In this section, we prove upper and lower bounds on the privacy-approximation 
ratios for two classic problems: Yao's millionaires problem and the provision of 
a public good. 

4.1 Problem Specifications 

The millionaires problem. Two millionaires want to know which one is 
richer. Each millionaire's wealth is private information known only to him, and 
the millionaire wishes to keep it that way. The goal is to discover the identity of 
the richer millionaire while preserving the (subjective) privacy of both parties. 

Definition 18 (The Millionaires Problem$_k$)

Input: $x_1, x_2 \in \{0, \ldots, 2^k - 1\}$ (each represented by a k-bit string)

Output: the identity of the party with the higher value, i.e., $\arg\max_{i \in \{1,2\}} x_i$
(breaking ties lexicographically).

There cannot be a perfectly privacy-preserving communication protocol for
The Millionaires Problem$_k$ [17]. Hence, we are interested in the PARs for
this well studied problem.

The public-good problem. There are two agents, each with a private value
in $\{0, \ldots, 2^k - 1\}$ that represents his benefit from the construction of a public
project (public good), e.g., a bridge. The goal of the social planner is to build
the public project only if the sum of the agents' values is at least its cost, where,
as in [1], the cost is set to be $2^k - 1$.

Definition 19 (Public Good$_k$)

Input: $x_1, x_2 \in \{0, \ldots, 2^k - 1\}$ (each represented by a k-bit string)

Output: "Build" if $x_1 + x_2 \ge 2^k - 1$, "Do Not Build" otherwise.

It is easy to show (via Observation 2.4) that for Public Good$_k$, as for
The Millionaires Problem$_k$, no perfectly privacy-preserving communication
protocol exists. Therefore, we are interested in the PARs for this problem.

4.2 The Millionaires Problem 

The following theorem shows that not only is perfect subjective privacy
unattainable for The Millionaires Problem$_k$, but a stronger result holds:

Theorem 4.1 (A worst-case lower bound on subjective PAR) No communication
protocol for The Millionaires Problem$_k$ has a worst-case subjective PAR
less than $2^{k/2}$.

Proof: Consider a communication protocol P for The Millionaires Problem$_k$.
Let R represent the space of possible inputs of millionaire 1, and let
C represent the space of possible inputs of millionaire 2. In the beginning,
$R = C = \{0, \ldots, 2^k - 1\}$. Consider the first (meaningful) bit q transmitted in
the course of P's execution. Let us assume that this bit is transmitted by millionaire
1. This bit indicates whether 1's value belongs to one of two disjoint subsets of
R, $R_1$ and $R_2$, whose union equals R. Because we are interested in the worst
case, we can choose adversarially to which of these subsets 1's input belongs.
Without loss of generality, let $0 \in R_1$. We decide adversarially that 1's value is
in $R_1$ and set $R = R_1$. Similarly, if q is transmitted by millionaire 2, then we
set C to be the subset of C containing 0 in the partition of 2's inputs induced
by q. We continue this process recursively for each bit transmitted in P.

Observe that, as long as both R and C contain at least two values, P is
incapable of computing The Millionaires Problem$_k$. This is because 0 belongs
to both R and C, and so P cannot eliminate, for either of the millionaires, the
possibility that that millionaire has a value of 0 and the other millionaire has a
positive value. Hence, this process will go on until P determines that the value
of one of the millionaires is exactly 0, i.e., until either $R = \{0\}$ or $C = \{0\}$. Let
us examine these two cases:

• Case I: $R = \{0\}$. Consider the subcase in which $x_2$ equals 0. Recall that
$0 \in C$, and so this is possible. Observe that, in this case, P determines
the exact value of $x_1$, despite the fact that, in the 2-ideal-monochromatic
partition, all $2^k$ possible values of $x_1$ are in the same monochromatic
rectangle when $x_2 = 0$ (because for all these values 1 wins). Hence, we
get a lower bound of $2^k$ on the subjective privacy-approximation ratio.

• Case II: $C = \{0\}$. Let m denote the highest input in R. We consider
two subcases. If $m < 2^{k/2}$, then observe that the worst-case subjective
privacy-approximation ratio is at least $2^{k/2}$. In the 2-ideal-monochromatic
partition, all $2^k$ possible values of $x_1$ are in the same monochromatic
rectangle if $x_2 = 0$, and the fact that $m < 2^{k/2}$ implies that $|R| \le 2^{k/2}$.

If, on the other hand, $m \ge 2^{k/2}$, then consider the case in which $x_1 = m$
and $x_2 = 0$. Observe that, in the 1-ideal-monochromatic partition, all
values of millionaire 2 in $\{0, \ldots, m - 1\}$ are in the same monochromatic
rectangle if $x_1 = m$. However, P will enable millionaire 1 to determine
that millionaire 2's value is exactly 0. This implies a lower bound of m on
the subjective privacy-approximation. We now use the fact that $m \ge 2^{k/2}$
to conclude the proof.

□

Footnote to the public-good problem in Section 4.1: This is a discretization of
the classic public good problem, in which the private values are taken from an
interval of reals, as in [1, 5].

By contrast, we show that fairly good privacy guarantees can be obtained in
the average case. We define the Bisection Protocol for The Millionaires
Problem$_k$ as follows: Ask each millionaire whether his value lies in $[0, 2^{k-1})$ or
in $[2^{k-1}, 2^k)$; continue this binary search until the millionaires' answers differ,
at which point we know which millionaire has the higher value. If the answers
never differ, the tie is broken in favor of millionaire 1.

We may exactly compute the average-case subjective PAR with respect to
the uniform distribution for the Bisection Protocol applied to The Millionaires
Problem$_k$. Figure 3 illustrates the approach. The far left of the
figure shows the ideal partition (for k = 3) of the value space for The Millionaires
Problem$_k$; these regions are indicated with heavy lines in all parts of the
figure. The center-left shows the 1-partition of the regions in the ideal partition;
the center-right shows the 1-induced tiling that is induced by the Bisection
Protocol. The far right illustrates how we may rearrange the tiles that partition
the bottom-left region in the ideal partition (by reflecting them across the
dashed line) to obtain a tiling of the value space that is the same as the tiling
induced by applying the Bisection Auction to 2nd-Price Auction$_k$.

Theorem 4.2 (The average-case subjective PAR of the bisection protocol)
The average-case subjective PAR with respect to the uniform distribution
for the Bisection Protocol applied to The Millionaires Problem$_k$ is
$\frac{k}{2} + 1$.

Proof: Given a value of i, consider the i-induced tiling obtained by running
the Bisection Protocol for The Millionaires Problem$_k$ (as in the center-right
of Fig. 3 for i = 1). Rearrange the rectangles in which player i wins by
reflecting them across the line running from the bottom-left corner to the
top-right corner (the dashed line in the far right of Fig. 3). This produces a tiling
of the value space in which the region in which player 1 wins is tiled by tiles of
width 1, and the region in which player 2 wins is tiled by tiles of height 1; in
computing the average-case approximate privacy with respect to i, the tile-size
ratios that we use are the heights (widths) of the tiles to the height (width) of
the tile containing all values in that column (row) for which player 1 (2) wins.
This tiling and the tile-size ratios in question are exactly as in the computation
of the average-case objective privacy for 2nd-Price Auction$_k$; the argument
used in Thm. 5.8 (for $g(k) = k$) below completes the proof. □

Figure 3: Left to right: The ideal partition (for k = 3) for The Millionaires
Problem$_k$; the 1-partition of the ideal regions; the 1-induced tiling induced by
the Bisection Protocol; the rearrangement used in the proof of Thm. 4.2.

Consider the case in which a third party is observing the interaction of the 
two millionaires. How much can this observer learn about the private informa- 
tion of the two millionaires? We show that, unlike the case of subjective privacy, 
good PARs are unattainable even in the average case. 

Because the values $(i, i)$ (in which case player 1 wins) and the values $(i, i+1)$
(in which player 2 wins) must all appear in different tiles in any tiling that refines
the ideal partition of the value space for The Millionaires Problem$_k$, any
such tiling must include at least $2^k$ tiles in which player 1 wins and $2^k - 1$ tiles
in which player 2 wins. The total contribution of a tile in which player 1 wins is
the number of values in that tile times the ratio of the ideal region containing
the tile to the size of the tile, divided by the total number ($2^{2k}$) of values in
the space. Each tile in which player 1 wins thus contributes $\frac{2^k + 1}{2^{k+1}}$ to the
average-case PAR under the uniform distribution; similarly, each tile in which
player 2 wins contributes $\frac{2^k - 1}{2^{k+1}}$ to this quantity. This leads directly to the
following result.

Proposition 4.3 (A lower bound on average-case objective PAR) The
average-case objective PAR for The Millionaires Problem$_k$ with respect to
the uniform distribution is at least $2^k - \frac{1}{2} + 2^{-(k+1)}$.

There are numerous different tilings of the value space that achieve this ratio
and that can be realized by communication protocols. For the Bisection
Protocol, we obtain the same exponential (in k) growth rate but with a larger
constant factor.

Proposition 4.4 (The average-case objective PAR of the bisection protocol)
The Bisection Protocol for The Millionaires Problem$_k$ obtains
an average-case objective PAR of $3 \cdot 2^{k-1} - \frac{1}{2}$ with respect to the uniform
distribution.

Proof: The bisection mechanism induces a tiling that refines the ideal
partition and that has $2^{k+1} - 1$ tiles in which player 1 wins and $2^k - 1$ tiles
in which player 2 wins. The contribution of each of these tiles is as noted
above, from which the result follows. □

Finally, Table 1 summarizes our average-case PAR results (with respect to
the uniform distribution) for The Millionaires Problem$_k$.

                   | Average-Case Obj. PAR           | Average-Case Subj. PAR
Any Protocol       |                                 |
Bisection Protocol | $3 \cdot 2^{k-1} - \frac{1}{2}$ | $\frac{k}{2} + 1$

Table 1: Average-case PARs for The Millionaires Problem$_k$



4.3 The Public-Good Problem 

The government is considering the construction of a bridge (a public good) at
cost c. Each taxpayer has a k-bit private value that is the utility he would gain
from the bridge if it were built. The government wants to build the bridge if
and only if the sum of the taxpayers' private values is at least c. In the case that
$c = 2^k - 1$, we observe that $x_2' = c - x_2$ is again a k-bit value and that $x_1 + x_2 \ge c$
if and only if $x_1 \ge x_2'$; from the perspective of PAR, this problem is equivalent to
solving The Millionaires Problem$_k$ on inputs $x_1$ and $x_2'$. We may apply our
results for The Millionaires Problem$_k$ to see that the public-good problem
with $c = 2^k - 1$ has exponential average-case objective PAR with respect to the
uniform distribution. Appendix B discusses average-case objective PAR for a
truthful version of the public-good problem.

5 Auctions: Bounds on PARs 

In this section, we present upper and lower bounds on the privacy-approximation
ratios for the 2nd-price Vickrey auction.

5.1 Problem Specification

2nd-price Vickrey auction. A single item is offered to 2 bidders, each with
a private value for the item. The auctioneer's goal is to allocate the item to
the bidder with the highest value. The fundamental technique in mechanism
design for inducing truthful behavior in single-item auctions is Vickrey's
2nd-price auction [22]: Allocate the item to the highest bidder, and charge him the
second-highest bid.

Definition 20 (2nd-Price Auction$_k$)

Input: $x_1, x_2 \in \{0, \ldots, 2^k - 1\}$ (each represented by a k-bit string)

Output: the identity of the party with the higher value, i.e., $\arg\max_{i \in \{1,2\}} x_i$
(breaking ties lexicographically), and the private information of the other
party.

Brandt and Sandholm [6] show that a perfectly privacy-preserving communication
protocol exists for 2nd-Price Auction$_k$. Specifically, perfect privacy
is obtained via the ascending-price English auction: Start with a price of p = 0
for the item. In each time step, increase p by 1 until one of the bidders indicates
that his value for the item is less than p (in each step first asking bidder 1 and
then, if necessary, asking bidder 2). At that point, allocate the item to the other
bidder for a price of p - 1. If p reaches a value of $2^k - 1$ (that is, the values of
both bidders are $2^k - 1$) allocate the item to bidder 1 for a price of $2^k - 1$.

Moreover, it is shown in [5] that the English auction is essentially the only
perfectly privacy-preserving protocol for 2nd-Price Auction$_k$. Thus, perfect
privacy requires, in the worst case, the transmission of $\Omega(2^k)$ bits. 2k bits suffice,
because bidders can simply reveal their inputs. Can we obtain "good" privacy
without paying such a high price in communication?

5.2 Objective Privacy PARs 

We now consider objective privacy for 2nd-Price Auction$_k$ (i.e., privacy with
respect to the auctioneer). Bisection auctions [14, 15] for 2nd-Price
Auction$_k$ are defined similarly to the Bisection Protocol for The Millionaires
Problem$_k$: Use binary search to find a value c that lies between the two
bidders' values, and let the bidder with the higher value be bidder j. (If the
values do not differ, we will also discover this; in this case, award the item to
bidder 1, who must pay the common value.) Use binary search on the interval
that contains the value of the lower bidder in order to find the value of the lower
bidder. Bisection auctions are incentive-compatible in ex-post Nash [14, 15].

More generally, we refer to an auction protocol as a c-bisection auction,
for a constant $c \in (0, 1)$, if in each step the interval R is partitioned into two
disjoint subintervals: a lower subinterval of size $c|R|$ and an upper subinterval
of size $(1 - c)|R|$. Hence, the Bisection Auction is a c-bisection auction with
$c = \frac{1}{2}$. We prove that no c-bisection auction for The Millionaires Problem$_k$
obtains a subexponential objective PAR:

Theorem 5.1 (A worst-case lower bound for c-bisection auctions) For
any constant c > the c-bisection auction for 2nd-Price Auction$_k$ has a
worst-case PAR of at least $2^{k/2}$.

Proof: Consider the ideal monochromatic partition of 2nd-Price Auction$_k$
depicted for k = 3 in Fig. 1. Observe that, for perfect privacy to be preserved,
it must be that bidder 2 transmits the first (meaningful) bit, and that this
bit partitions the space of inputs into the leftmost shaded rectangle (the set
$\{0, \ldots, 2^k - 1\} \times \{0\}$) and the rest of the value space (ignoring the rectangles
depicted that further refine $\{0, \ldots, 2^k - 1\} \times \{1, \ldots, 2^k - 1\}$). What if the first
bit is transmitted by player 2 and does not partition the space into rectangles in
that way? We observe that any other partition of the space into two rectangles
is such that, in the worst case, the privacy-approximation ratio is at least $2^{k/2}$
(for any value of c): If $c < 1 - 2^{-k/2}$, then the case in which $x_1 = 2^k - 1$ gives us
the lower bound. If, on the other hand, $c > 1 - 2^{-k/2}$, then the case that $x_1 = 0$
gives us the lower bound. Observe that such a bad PAR is also the result of
bidder 1's transmitting the first (meaningful) bit. □

By contrast, as for The Millionaires Problem$_k$, reasonable privacy
guarantees are achievable in the average case:

Theorem 5.2 (The average-case objective PAR of the bisection auction)
The average-case objective PAR of the Bisection Auction is $\frac{k}{2} + 1$
with respect to the uniform distribution.

Proof: This follows by taking $g(k) = k$ in Thm. 5.8. □

We note that the worst-possible approximation of objective privacy comes
when each value in the space is in a distinct tile; this is the tiling induced by
the sealed-bid auction. The resulting average-case privacy-approximation ratio
is exponential in k.

Proposition 5.3 (Largest possible objective PAR) The largest possible (for
any protocol) average-case objective PAR with respect to the uniform distribution
for 2nd-Price Auction$_k$ is



1 

22fe 

5.3 Subjective Privacy PARs

We now look briefly at subjective privacy for 2nd-Price Auction$_k$. For
subjective privacy with respect to 1, we start with the 1-partition for 2nd-Price
Auction$_k$; Fig. 4 shows the refinement of the 1-partition induced by the
Bisection Auction for k = 4. Separately considering the refinement of the
2-partition for 2nd-Price Auction$_k$ by the Bisection Auction, we have the
following results.

Figure 4: The Bisection-Auction-induced refinement of the 1-partition for
2nd-Price Auction$_k$ (k = 4)

Theorem 5.4 (The average-case PAR with respect to 1 of the bisection
auction) The average-case PAR with respect to 1 of the Bisection
Auction is

$$\frac{k+3}{4} - \frac{k-1}{2^{k+2}}$$

with respect to the uniform distribution.

Proof: This follows by taking $g(k) = k$ in Thm. 5.11. □

Theorem 5.5 (The average-case PAR with respect to 2 of the bisection
auction) The average-case PAR with respect to 2 of the Bisection
Auction is

$$\frac{k+5}{4} + \frac{k-1}{2^{k+2}}$$

with respect to the uniform distribution.

Proof: This follows by taking $g(k) = k$ in Thm. 5.12. □

Corollary 5.6 (The average-case subjective PAR of the bisection auction)
The average-case subjective PAR of the Bisection Auction with respect
to the uniform distribution is

$$\frac{k+5}{4} + \frac{k-1}{2^{k+2}}.$$



As for objective privacy, the sealed-bid auction gives the largest possible 
average-case subjective PAR. 

Proposition 5.7 (Largest possible subjective PAR) The largest possible
(for any protocol) average-case subjective PAR with respect to the uniform
distribution for 2nd-Price Auction$_k$ is

$$\frac{2^k}{3} + 1 - \frac{1}{3 \cdot 2^k}.$$

Proof: For the sealed-bid auction, the average-case PAR with respect to 1 is

$$\frac{1}{2^{2k}}\left(\sum_{j=1}^{2^k} j + \sum_{j=1}^{2^k - 1} j^2\right) = \frac{2^k}{3} + \frac{2}{3 \cdot 2^k}.$$

For the sealed-bid auction, the average-case PAR with respect to 2 is

$$\frac{1}{2^{2k}}\left(\sum_{j=1}^{2^k} j^2 + \sum_{j=1}^{2^k - 1} j\right) = \frac{2^k}{3} + 1 - \frac{1}{3 \cdot 2^k}.$$

□



5.4 Bounded-Bisection Auctions 

We now present a middle ground between the perfectly-private yet highly
inefficient (in terms of communication) ascending English auction and the
communication-efficient Bisection Auction whose average-case objective PAR is
linear in k (and is thus unbounded as k goes to infinity): We bound the number
of bisections, using an ascending English auction to determine the outcome if it
is not resolved by the limited number of bisections.

We define the Bisection Auction$_{g(k)}$ as follows: Given an instance of
2nd-Price Auction$_k$, and an integer-valued function g(k) such that $0 \le g(k) \le k$,
run the Bisection Auction as above but do at most g(k) bisection operations.
(Note that we will never do more than k bisections.) If the outcome is
undetermined after g(k) bisection operations, so that both players' values lie in
an interval I of size $2^{k - g(k)}$, apply the ascending-price English auction to this
interval to determine the identity of the winning bidder and the value of the
losing bidder.

As g(k) ranges from 0 to k, the Bisection Auction$_{g(k)}$ ranges from the
ascending-price English auction to the Bisection Auction. If we allow a
fixed, positive number of bisections ($g(k) = c > 0$), computations show that
for c = 1, 2, 3 we obtain examples of protocols that do not provide perfect
privacy but that do have bounded average-case objective PARs with respect
to the uniform distribution. We wish to see if this holds for all positive c,
determine the average-case objective PAR for general g(k), and connect the
amount of communication needed with the approximation of privacy in this
family of protocols. The following theorem allows us to do these things.

Theorem 5.8 For the Bisection Auction$_{g(k)}$, the average-case objective PAR
with respect to the uniform distribution equals

$$\frac{g(k) + 3}{2} - \frac{2^{g(k)}}{2^{k+1}} + \frac{1}{2^{k+1}} - \frac{1}{2^{g(k)+1}}.$$

Proof: Fix k, the number of bits used for bidding, and let $c = g(k)$ be the
number of bisections; we have $0 \le c \le k$, and we let $i = k - c$. Figure 5
illustrates this tiling for k = 4, c = 2, and i = 2; note that the upper-left
and lower-right quadrants have identical structure and that the lower-left and
upper-right quadrants have no structure other than that of the ideal partition
and the quadrant boundaries (which are induced by the first bisection operation
performed).

Figure 5: Illustration for the proof of Thm. 5.8


Our general approach is the following. The average-case objective PAR with
respect to the uniform distribution equals

$$\mathrm{PAR} = \frac{1}{2^{2k}} \sum_{(x_1,x_2)} \frac{|R^I(x_1,x_2)|}{|R^P(x_1,x_2)|},$$

where the sum is over all pairs $(x_1, x_2)$ in the value space; recall that $R^I(x_1, x_2)$
is the region in the ideal partition that contains $(x_1, x_2)$, and $R^P(x_1, x_2)$ is the
rectangle in the tiling induced by the protocol that contains $(x_1, x_2)$. We may
combine all of the terms corresponding to points in the same protocol-induced
rectangle to obtain

$$\mathrm{PAR} = \frac{1}{2^{2k}} \sum_R |R| \, \frac{|R^I(R)|}{|R|} = \frac{1}{2^{2k}} \sum_R |R^I(R)|, \qquad (1)$$

where the sums are now over protocol-induced rectangles R (we will simplify
notation and write R instead of $R^P$), and $R^I(R)$ denotes the ideal region that
contains the protocol-induced rectangle R. Each ideal region in which bidder 1
wins is a rectangle of width 1 and height at most $2^k$; each ideal region in which
bidder 2 wins is a rectangle of height 1 and width strictly less than $2^k$. For
a protocol-induced rectangle R, let $j_R = 2^k - |R^I(R)|$. Let $a_{c,i}$ be the total
number of tiles that appear in the tiling of the k-bit value space induced by
the Bisection Auction$_{g(k)}$ with $g(k) = c$, and let $b_{c,i} = \sum_R j_R$ (with this
sum being over the protocol-induced tiles in this same partition). Then we may
rewrite (1) as

$$\mathrm{PAR}_{c,i} = \frac{1}{2^{2k}} \sum_R \left(2^k - j_R\right) = \frac{a_{c,i} 2^k - b_{c,i}}{2^{2k}}. \qquad (2)$$

(Note that (1) holds for general protocols; we now add the subscripts "c, i" to
indicate the particular PAR we are computing.) We now determine $a_{c,i}$ and
$b_{c,i}$.

Considering the tiling induced by c + 1 bisections of a (c + i + 1)-bit space
(which has $a_{c+1,i}$ total tiles), the upper-left and lower-right quadrants each
contain $a_{c,i}$ tiles while the lower-left and upper-right quadrants (as depicted in
Fig. 5) each contribute $2^{c+i}$ tiles, so $a_{c+1,i} = 2a_{c,i} + 2^{c+i+1}$. When there are no
bisections, the i-bit value space has $a_{0,i} = 2^{i+1} - 1$ tiles, from which we obtain
$a_{c,i} = 2^c\left(2^i(c + 2) - 1\right)$. The sum of $j_R$ over protocol-induced rectangles R in
the upper-left quadrant is $b_{c,i}$. For a rectangle R in the lower-right quadrant,
$j_R$ equals $2^{c+i}$ plus $j_{R'}$, where R' is the corresponding rectangle in the
upper-left quadrant; there are $a_{c,i}$ such R, so the sum of $j_R$ over protocol-induced
rectangles R in the lower-right quadrant is $b_{c,i} + a_{c,i} 2^{c+i}$. Finally, the sum of $j_R$
over R in the lower-left quadrant equals $\sum_{j=0}^{2^{c+i}-1} j$ and the sum over R in the
top-right quadrant equals $\sum_{j=1}^{2^{c+i}} j$. Thus, $b_{c+1,i} = 2b_{c,i} + a_{c,i} 2^{c+i} + 2^{2(c+i)}$; with
$b_{0,i} = \sum_{j=0}^{2^i - 1} j + \sum_{j=1}^{2^i - 1} j$, we obtain $b_{c,i} = 2^{c+i-1}\left((1 + 2^c)(-1 + 2^i) + 2^{c+i} c\right)$.
Rewriting (2), we obtain

$$\mathrm{PAR}_{c,i} = \frac{c + 3}{2} - \frac{2^c}{2^{c+i+1}} + \frac{1}{2^{c+i+1}} - \frac{1}{2^{c+1}}.$$

Recalling that k = c + i, the proof is complete. □

For the protocols corresponding to values of g(k) ranging from 0 to k (ranging
from the ascending-price English auction to the Bisection Auction), we may
thus relate the amount of communication saved (relative to the English auction)
to the effect of this on the PAR.

Corollary 5.9 Let g be a function that maps non-negative integers to
non-negative integers. Then the average-case objective PAR with respect to the
uniform distribution for the Bisection Auction$_{g(k)}$ is bounded if g is bounded and
is unbounded if g is unbounded. We then have that the Bisection Auction$_{g(k)}$
may require the exchange of $\Theta(k + 2^{k - g(k)})$ bits, and it has an average-case
objective PAR of $\Theta(1 + g(k))$.

Remark 5.10 Some of the sequences that appear in the proof above also
appear in other settings. For example, the sequences $\{a_{0,i}\}_i$, $\{a_{1,i}\}_i$, and $\{a_{2,i}\}_i$
are slightly shifted versions of sequences A000225, A033484, and A028399,
respectively, in the OEIS [21], which notes other combinatorial interpretations of
them.



5.4.1 Subjective privacy for bounded-bisection auctions 

Theorem 5.11 (The average-case PAR w.r.t. 1 of the bounded-bisection
auction) The average-case PAR with respect to 1 of the Bisection
Auction$_{g(k)}$ is

$$\frac{g(k) + 5}{4} - \frac{1}{2^{k - g(k) + 1}} - \frac{1}{2^{g(k)+2}} - \frac{g(k) - 2}{2^{k+2}}$$

with respect to the uniform distribution.

Proof: The approach is similar to that in the proof of Thm. 5.8. We start by
specializing (1) to the present case.

Each ideal region in which bidder 1 wins is a rectangle of size 1; each ideal
region in which bidder 2 wins is a rectangle of height 1 and width strictly less
than $2^k$. For a protocol-induced rectangle R, let $j_R = 2^k - |R^I(R)|$. Let $c = g(k)$
and let $i = k - c \ge 0$. Let $T^1_{c,i}$ be the refinement of the 2nd-Price Auction$_k$
1-partition of the k-bit value space induced by the Bisection Auction$_{g(k)}$. Let
$x_{c,i}$ be the number of rectangles in $T^1_{c,i}$ in which bidder 2 (the column player)
wins, and let $y_{c,i}$ be the sum, over all rectangles R in which bidder 2 wins, of
the quantity $2^{c+i} - |R^I(R)|$. Let $z_{c,i}$ be the number of rectangles R in which
bidder 1 (the row player) wins.

Using $\mathrm{PAR}^1_{c,i}$ to denote the PAR w.r.t. bidder 1 in this case (c bisections and
i = k - c), we may rewrite (1) as

$$\mathrm{PAR}^1_{c,i} = \frac{1}{2^{2(c+i)}} \left[ \sum_{R \text{ in which 1 wins}} |R^I(R)| + \sum_{R \text{ in which 2 wins}} |R^I(R)| \right] = \frac{1}{2^{2(c+i)}} \left[ z_{c,i} + \left(2^{c+i} x_{c,i} - y_{c,i}\right) \right].$$

We now turn to the computation of $x_{c,i}$, $y_{c,i}$, and $z_{c,i}$.

Following the same approach as in the proof of Thm. 5.8, we have
$x_{c+1,i} = 2x_{c,i} + 2^{c+i}$, $y_{c+1,i} = 2y_{c,i} + \sum_{j=1}^{2^{c+i}} j + 2^{c+i} x_{c,i}$, and
$z_{c+1,i} = 2z_{c,i} + 2^{2(c+i)}$. With $x_{0,i} = 2^i - 1$, $y_{0,i} = \sum_{j=1}^{2^i - 1} j$, and
$z_{0,i} = \sum_{j=1}^{2^i} j$, we obtain

$x_{c,i} = 2^{c-1}\left(2^i c + 2^{i+1} - 2\right)$,

$y_{c,i} = 2^{c+i-2}\left(2^{c+i} c + 2^{c+i} + 2^i - 2^{c+1} + c\right)$, and

$z_{c,i} = 2^{c+i-1}\left(2^{c+i} + 1\right)$.

Using these in our expression for $\mathrm{PAR}^1_{c,i}$, we obtain

$$\mathrm{PAR}^1_{c,i} = \frac{c + 5}{4} + \frac{2 - c}{2^{c+i+2}} - \frac{1}{2^{i+1}} - \frac{1}{2^{c+2}}.$$

Recalling that k = c + i and g(k) = c completes the proof. □

Theorem 5.12 (The average-case PAR w.r.t. 2 of the bounded-bisection
auction) The average-case PAR with respect to 2 of the Bisection
Auction$_{g(k)}$ is

$$\frac{g(k) + 5}{4} - \frac{1}{2^{g(k)+2}} + \frac{g(k)}{2^{k+2}}$$

with respect to the uniform distribution.

Proof: The approach is essentially the same as in the proof of Thm. 5.11,
although the induced partition differs slightly.

Let $c = g(k)$ and let $i = k - c \ge 0$. Let $T^2_{c,i}$ be the refinement of the
2nd-Price Auction$_k$ 2-partition of the k-bit value space induced by the Bisection
Auction$_{g(k)}$. Let $u_{c,i}$ be the number of rectangles in $T^2_{c,i}$ in which bidder 1 (the
row player) wins, and let $v_{c,i}$ be the sum, over all rectangles R in which bidder
1 wins, of the quantity $2^{c+i} - |R^I(R)|$. Let $w_{c,i}$ be the number of rectangles R
in which bidder 2 (the column player) wins. Using $\mathrm{PAR}^2_{c,i}$ to denote the PAR
w.r.t. bidder 2 in this case (c bisections and i = k - c), we may rewrite (1) as

$$\mathrm{PAR}^2_{c,i} = \frac{1}{2^{2(c+i)}} \left[ \left(2^{c+i} u_{c,i} - v_{c,i}\right) + w_{c,i} \right].$$

Mirroring the approach of the proof of Thm. 5.11, we have $u_{c+1,i} = 2u_{c,i} + 2^{c+i}$,
$v_{c+1,i} = 2v_{c,i} + 2^{c+i-1}\left(2^{c+i} - 1\right) + 2^{c+i} u_{c,i}$, and $w_{c,i} = 2^{c+i-1}\left(2^{c+i} - 1\right)$.
With $u_{0,i} = 2^i$ and $v_{0,i} = 2^{i-1}\left(2^i - 1\right)$, we obtain

$u_{c,i} = 2^{c+i-1}(c + 2)$,

$v_{c,i} = 2^{c+i-2}\left(2^{c+i}(c + 1) + 2^i - c - 2\right)$, and

$w_{c,i} = 2^{c+i-1}\left(2^{c+i} - 1\right)$.

Using these in our expression for $\mathrm{PAR}^2_{c,i}$, we obtain

$$\mathrm{PAR}^2_{c,i} = \frac{c + 5}{4} - \frac{1}{2^{c+2}} + \frac{c}{2^{c+i+2}}.$$

Recalling that k = c + i and g(k) = c completes the proof. □

Because $g(k) \ge 0$, the average-case PAR with respect to 2 is at least as large
as the average-case PAR with respect to 1; this gives the average-case subjective
PAR of the Bisection Auction$_{g(k)}$ as follows.

Corollary 5.13 (Average-case subjective PAR of the bounded-bisection
auction) The average-case subjective PAR of the Bisection Auction$_{g(k)}$ is

$$\frac{g(k) + 5}{4} - \frac{1}{2^{g(k)+2}} + \frac{g(k)}{2^{k+2}}$$

with respect to the uniform distribution.
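
The closed forms of Section 4.2 (Proposition 4.4, Theorem 4.2) and of Theorems 5.8, 5.11 and 5.12 can be checked for small k by enumerating every input pair. The Python below is an added example, not code from the paper; the function names and the modelling of a protocol tile as the pair (bisection answers, output) are assumptions made here, the latter because after the bisections the protocols reveal nothing beyond the output.

```python
from collections import Counter
from fractions import Fraction


def bisection_bits(x1, x2, k, rounds):
    """Answers from at most `rounds` bisection steps, stopping once they differ.

    Step t asks both parties for bit k-t of their value (lower or upper half
    of the current interval); the result is a tuple of (bit of x1, bit of x2).
    """
    bits = []
    for j in range(k - 1, k - 1 - rounds, -1):
        pair = ((x1 >> j) & 1, (x2 >> j) & 1)
        bits.append(pair)
        if pair[0] != pair[1]:
            break
    return tuple(bits)


def millionaires(x1, x2):
    """The Millionaires Problem: the richer party, ties going to party 1."""
    return 1 if x1 >= x2 else 2


def second_price(x1, x2):
    """2nd-Price Auction: (winner, losing value), ties going to bidder 1."""
    return (1, x2) if x1 >= x2 else (2, x1)


def average_par(k, outcome, rounds, view=None):
    """Average-case PAR for uniform k-bit inputs, as an exact Fraction.

    Assumed tile model: two inputs share a protocol tile iff they give the
    same bisection answers and the same output. view=None is an outside
    observer (objective PAR); view=1 or 2 is that party, who also knows its
    own input, which refines both the ideal regions and the tiles.
    """
    n = 1 << k
    region_size, tile_size, cells = Counter(), Counter(), []
    for x1 in range(n):
        for x2 in range(n):
            own = () if view is None else ((x1, x2)[view - 1],)
            region = (outcome(x1, x2),) + own
            tile = region + (bisection_bits(x1, x2, k, rounds),)
            region_size[region] += 1
            tile_size[tile] += 1
            cells.append((region, tile))
    ratios = (Fraction(region_size[r], tile_size[t]) for r, t in cells)
    return sum(ratios) / n**2


def closed_forms(k, g):
    """Closed forms for the Bisection Auction with g bisections:
    (objective, w.r.t. bidder 1, w.r.t. bidder 2) = Theorems 5.8, 5.11, 5.12."""
    F = Fraction
    objective = (F(g + 3, 2) - F(2**g, 2**(k + 1))
                 + F(1, 2**(k + 1)) - F(1, 2**(g + 1)))
    wrt_1 = (F(g + 5, 4) - F(1, 2**(k - g + 1))
             - F(1, 2**(g + 2)) - F(g - 2, 2**(k + 2)))
    wrt_2 = F(g + 5, 4) - F(1, 2**(g + 2)) + F(g, 2**(k + 2))
    return objective, wrt_1, wrt_2


def measured(k, g):
    """The same three PARs obtained by enumerating all 2^(2k) inputs."""
    return tuple(average_par(k, second_price, g, v) for v in (None, 1, 2))


if __name__ == "__main__":
    k = 4
    print("millionaires, bisection protocol: objective",
          average_par(k, millionaires, k), "subjective",
          max(average_par(k, millionaires, k, v) for v in (1, 2)))
    for g in range(k + 1):
        print("auction, g =", g, [str(p) for p in measured(k, g)],
              "matches closed forms:", measured(k, g) == closed_forms(k, g))
```

Setting rounds to 0 reproduces the English auction (every PAR equals 1), and rounds equal to k reproduces the full Bisection Auction.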

Finally, Table 2 summarizes the average-case PAR results (with respect to
the uniform distribution) for 2nd-Price Auction$_k$.

                           | Avg.-Case Obj. PAR | Avg.-Case Subj. PAR
English Auction            | $1$ | $1$
Bisection Auction$_{g(k)}$ | $\frac{g(k)+3}{2} - \frac{2^{g(k)}}{2^{k+1}} + \frac{1}{2^{k+1}} - \frac{1}{2^{g(k)+1}}$ | $\frac{g(k)+5}{4} - \frac{1}{2^{g(k)+2}} + \frac{g(k)}{2^{k+2}}$
Bisection Auction          | $\frac{k}{2} + 1$ | $\frac{k+5}{4} + \frac{k-1}{2^{k+2}}$
Sealed-Bid Auction         | $\frac{2^{k+1}}{3} + \frac{1}{3 \cdot 2^k}$ | $\frac{2^k}{3} + 1 - \frac{1}{3 \cdot 2^k}$

Table 2: Average-case PARs (with respect to the uniform distribution) for
2nd-Price Auction$_k$

6 Discussion and Future Directions

6.1 Other Notions of Approximate Privacy

By our definitions, the worst-case/average-case PARs of a protocol are
determined by the worst-case/expected value of the expression $\frac{|R^I(x)|}{|R^P(x)|}$, where $R^P(x)$
is the monochromatic rectangle induced by P for input x, and $R^I(x)$ is the
monochromatic region containing $A(f)_x$ in the ideal monochromatic partition
of A(f). That is, informally, we are interested in the ratio of the size of the ideal
monochromatic region for a specific pair of inputs to the size of the
monochromatic rectangle induced by the protocol for that pair. More generally, we can
define worst-case/average-case PARs with respect to a function g by considering
the ratio $\frac{g(R^I(x), x)}{g(R^P(x), x)}$. Our definitions of PARs set g(R, x) to be the cardinality of
R. This captures the intuitive notion of the indistinguishability of inputs that
is natural to consider in the context of privacy preservation. Other definitions
of PARs may be appropriate in analyzing other notions of privacy. We suggest
a few here; further investigation of these and other definitions provides many
interesting avenues for future work.

Probability mass. Given a probability distribution D over the parties' 
inputs, a seemingly natural choice of g is the probability mass. That is, for 
any region R, $g(R) = \Pr_D(R)$, the probability (according to D) that the input 
corresponds to an entry in R. However, a simple example illustrates that this 
intuitive choice of g is problematic: Consider a problem for which $\{0, \ldots, n\} \times \{i\}$ 
is a maximal monochromatic region for $0 \le i \le n - 1$, as illustrated in 
the left part of Fig. 6. Let P be the communication protocol consisting of 
a single round in which party 1 reveals whether or not his value is 0; this 
induces the monochromatic tiling with tiles $\{(0, i)\}$ and $\{(1, i), \ldots, (n, i)\}$ for 
each i, as illustrated in the right part of Fig. 6. Now, let $D_1$ and $D_2$ be the 
probability distributions over the inputs $x = (x_1, x_2)$ such that, for $0 \le i \le n - 1$ 
and $1 \le j \le n$, $\Pr_{D_1}[(x_1, x_2) = (0, i)] =$ , $\Pr_{D_1}[(x_1, x_2) = (j, i)] =$ , 
$\Pr_{D_2}[(x_1, x_2) = (0, i)] =$ and $\Pr_{D_2}[(x_1, x_2) = (j, i)] =$ for some small 
$\epsilon > 0$. Intuitively, any reasonable definition of PAR should imply that, for $D_1$, 
P provides "bad" privacy guarantees (because w.h.p. it reveals the value of $x_1$), 
and, for $D_2$, P provides "good" privacy (because w.h.p. it reveals little about 
$x_1$). In sharp contrast, choosing g to be the probability mass results in the same 
average-case PAR in both cases. 
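
The comparison in this example can be checked numerically. The Python sketch below is an added example, not code from the paper: it builds the grid and the single-round protocol P described in the text and evaluates the average-case PAR for both the cardinality and the probability-mass choice of g. The two distributions are constructed for illustration (n = 10, ε = 1/100, mass spread evenly within each group), with D1 concentrated on x1 = 0 and D2 concentrated away from it.

```python
from fractions import Fraction

def ideal_region(x):
    # In the text's example every row {0..n} x {i} is one maximal
    # monochromatic region, so the region is identified by x2 = i.
    return x[1]

def protocol_tile(x):
    # Protocol P: party 1 reveals only whether x1 is 0.
    return (x[0] == 0, x[1])

def cardinality(region, dist):
    return Fraction(len(region))

def prob_mass(region, dist):
    return sum(dist[x] for x in region)

def average_par(dist, g):
    """E_x[ g(R^I(x)) / g(R^P(x)) ] for inputs x drawn from dist."""
    ideal, tiles = {}, {}
    for x in dist:
        ideal.setdefault(ideal_region(x), set()).add(x)
        tiles.setdefault(protocol_tile(x), set()).add(x)
    return sum(p * g(ideal[ideal_region(x)], dist) / g(tiles[protocol_tile(x)], dist)
               for x, p in dist.items())

def make_dist(n, mass_on_zero):
    # Constructed distribution (an assumption of this example): total mass
    # mass_on_zero spread evenly over the inputs (0, i), the rest spread
    # evenly over the inputs (j, i) with 1 <= j <= n.
    dist = {}
    for i in range(n):
        dist[(0, i)] = mass_on_zero / n
        for j in range(1, n + 1):
            dist[(j, i)] = (1 - mass_on_zero) / (n * n)
    return dist

if __name__ == "__main__":
    n, eps = 10, Fraction(1, 100)
    d1 = make_dist(n, 1 - eps)   # x1 = 0 with high probability
    d2 = make_dist(n, eps)       # x1 != 0 with high probability
    for name, d in (("D1", d1), ("D2", d2)):
        print(name, "cardinality:", float(average_par(d, cardinality)),
              "probability mass:", float(average_par(d, prob_mass)))
```

With g as probability mass, each protocol tile contributes exactly the mass of the row that contains it, so the average is 2 for any full-support distribution; with g as cardinality, the two distributions are separated by roughly a factor of n.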

Other additive functions. In our definition of PAR and in the probability- 
mass approach, each input x in a rectangle contributes to g{R,x) in a way 
that is independent of the other inputs in R. Below, we discuss some natu- 
ral approaches that violate this condition, but we start by noting that other 

Figure 6: Maximal monochromatic regions (left) and protocol-induced rectangles 
(right) for an example showing the deficiencies of PAR definitions based on probability 
mass. 



functions that satisfy this condition may be of interest. For example, taking 
$g(R, x) = 1 + \sum_{y \in R \setminus \{x\}} d(x, y)$, where d is some distance defined on the input 
space, gives our original definition of PAR when $d(x, y) = 1 - \delta_{x,y}$ and might 
capture other interesting definitions (in which indistinguishable inputs that are 
farther away from x contribute more to the privacy for x). (The addition of 
1 ensures that the ratio $g(R^I, x)/g(R^P, x)$ is defined, but that can be accomplished 
in other ways if needed.) Importantly, here and below, the notion of 
distance that is used might not be a Euclidean metric on the n-player input 
space $[0, 2^k - 1]^n$. It could instead (and likely would) focus on the problem-specific 
interpretation of the input space. Of course, there are many possible 
variations on this (e.g., also accounting for the probability mass). 

Maximum distance. We might take the view that a protocol does not 
reveal much about an input x if there is another input that is "very different" 
from x that the protocol cannot distinguish from x (even if the total number of 
things that are indistinguishable from x under the protocol is relatively small). 
For some distance d on the input space, we might then take g to be something 
like $1 + \max_{y \in R \setminus \{x\}} d(y, x)$. 

Plausible deniability. One drawback to the maximum-distance approach 
is that it does not account for the probability associated with inputs that are 
far from x (according to a distance d) and that are indistinguishable from x 
under the protocol. While there might be an input y that is far away from 
x and indistinguishable from x, the probability of y might be so small that 
the observer feels comfortable assuming that y does not occur. A more re- 
alistic approach might be one of "plausible deniability." This makes use of a 
plausibility threshold — intuitively, the minimum probability that the "far away" 
input(s) (which is/are indistinguishable from x) must be assigned in order to 
"distract" the observer from the true input x. This threshold might correspond 
to, e.g., "reasonable doubt" or other levels of certainty. We then consider how 
far we can move away from x while still having "enough" mass (i.e., more 
than the plausibility threshold) associated with the elements indistinguishable 
from x that are still farther away. We could then take g to be something like 
$1 + \max\{d_0 \mid \Pr_D(\{y \in R \mid d(y, x) > d_0\})/\Pr_D(R) > t\}$; other variations might 
focus on mass that is concentrated in a particular direction from x. (In quantifying 
privacy, we would expect to only consider those R with positive probability, 
in which case dividing by $\Pr_D(R)$ would not be problematic.) Here we use 
$\Pr_D(R)$ to normalize the weight that is far away from x before comparing it 
to the threshold t; intuitively, an observer would know that the value is in the 
same region as x, and so this seems to make the most sense. 

Relative rectangle size. One observation is that a bidder likely has a 
very different view of an auctioneer's being able to tell (when some particular 
protocol is used) whether his bid lies between 995 and 1005 than he does of 
the auctioneer's being able to tell whether his bid lies between 5 and 15. In 
each case, however, the bids in the relevant range are indistinguishable under 
the protocol from 11 possible bids. In particular, the privacy gained from an 
input's being distinguishable from a fixed number of other inputs may (or may 
not) depend on the context of the problem and the intended interpretation of the 
values in the input space. This might lead to a choice of g such as $\mathrm{diam}_d(R)$ 
where $\mathrm{diam}_d$ is the diameter of R with respect to some distance d and |x| is 
some (problem-specific) measure of the size of x (e.g., bid value in an auction). 
Numerous variations on this are natural and may be worth investigating. 

Information-theoretic approaches. Information-theoretic approaches 
using conditional entropy are also natural to consider when studying privacy, 
and these have been used in various settings. Most relevantly, Bar-Yehuda et 
al. [2] defined multiple measures based on the conditional mutual information 
about one player's value (viewed as a random variable) revealed by the protocol 
trace and knowledge of the other player's value. It would also be natural to study 
objective-PAR versions using the entropy of the random variable corresponding 
to the (multi-player) input conditioned only on the protocol output (and not 
the input of any player). Such approaches might facilitate the comparison of 
privacy between different problems. 

6.2 Open Questions 

There are many interesting directions for future research: 

• As discussed in the previous subsection, the definition and exploration of 
other notions of PARs is a challenging and intriguing direction for future 
work. 

• We have shown that, for both The Millionaires Problem$_k$ and 2nd-Price 
Auction$_k$, reasonable average-case PARs with respect to the uniform 
distribution are achievable. We conjecture that our upper bounds 
for these problems extend to all possible distributions over inputs. 

• An interesting open question is proving lower bounds on the average-case 
PARs for The Millionaires Problem$_k$ and 2nd-Price Auction$_k$. 

• It would be interesting to apply the PAR framework presented in this 
paper to other functions. 

• The extension of our PAR framework to the n-party communication model 
is a challenging direction for future research. 

• Starting from the same place that we did, namely IH1[IZ]> Bar-Yehuda et 
al. [2] provided three definitions of approximate privacy. The one that 
seems most relevant to the study of privacy-approximation ratios is their 
notion of h-privacy. It would be interesting to know exactly when and 
how it is possible to express PARs in terms of h-privacy and vice versa. 

A Relation to the Work of Bar-Yehuda et al. [2] 

While there are certainly some parallels between the work here and the 
Bar-Yehuda et al. work [2], there are significant differences in what the two 
frameworks capture. Specifically: 

1. The results in [2] deal with what can be learned by a party who knows 
one of the inputs. By contrast, our notion of objective PAR captures the 
effect of a protocol on privacy with respect to an external observer who 
does not know any of the players' private values. 

2. More importantly, the framework of [2] does not address the size of 
monochromatic regions. As illustrated by the following example, the ability to do 
so is necessary to capture the effects of protocols on interesting aspects of 
privacy that are captured by our definitions of PAR. 

Consider the function $f : \{0, \ldots, 2^n - 1\} \times \{0, \ldots, 2^n - 1\} \to \{0, \ldots, 2^{n-2}\}$ 
defined by $f(x, y) = \lfloor x/2 \rfloor$ if $x < 2^{n-1}$ and $f(x, y) = 2^{n-2}$ otherwise. 
Consider the following two protocols for f: in P, player 1 announces 
his value x if $x < 2^{n-1}$ and otherwise sends $2^{n-1}$ (which indicates that 
$f(x, y) = 2^{n-2}$); in Q, player 1 announces $\lfloor x/2 \rfloor$ if $x < 2^n - 1$ and x if 
$x = 2^n - 1$. Observe that each protocol induces $2^{n-1} + 1$ rectangles. 

Intuitively, the effect on privacy of these two protocols is different. For half 
of the inputs, P reduces by a factor of 2 the number of inputs from which 
they are indistinguishable while not affecting the indistinguishability of 
the other inputs. Q does not affect the indistinguishability of the inputs 
affected by P, but it does reduce the number of inputs indistinguishable 
from a given input with $x \ge 2^{n-1}$ by at least a factor of $2^{n-2}$. 

Our notion of PAR is able to capture the different effects on privacy of the 
protocols P and Q. (The average-case objective PARs are constant and 
exponential in n, respectively.) By contrast, the three quantifications of 
privacy from [2] — $I_c$, $I_i$, and $I_{c-i}$ — do not distinguish between these two 
protocols; we now sketch the arguments for this claim. 

For each protocol, any function h for which the protocol is weakly h-
private must take at least $2^{n-1} + 1$ different values. This bound is tight 
for both P and Q. Thus, $I_c$ cannot distinguish between the effects of P 
and Q on f. 

The number of rectangles induced by P that intersect each row and column 
equals the number induced by Q. Considering the geometric interpretation 
of $I_P$ and $I_Q$, as well as the discussion in Sec. VII.A of [5], we see that $I_i$ 
and $I_{c-i}$ (applied to protocols) cannot distinguish between the effects of 
P and Q on f. 
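
The claim that P and Q induce the same number of rectangles yet have very different average-case objective PARs can be checked by enumeration. The Python sketch below is an added example, not code from the paper; the function f and the two message rules are written out in the comments as this example reads them, and inputs are taken uniform on {0, ..., 2^n - 1}^2.

```python
from fractions import Fraction
from collections import Counter

def f(x, y, n):
    # f(x, y) = floor(x/2) if x < 2^(n-1), and 2^(n-2) otherwise (y is ignored).
    return x // 2 if x < 2 ** (n - 1) else 2 ** (n - 2)

def message_P(x, n):
    # P: player 1 announces x if x < 2^(n-1), otherwise sends 2^(n-1).
    return x if x < 2 ** (n - 1) else 2 ** (n - 1)

def message_Q(x, n):
    # Q: player 1 announces floor(x/2) if x < 2^n - 1, and x itself otherwise.
    return x // 2 if x < 2 ** n - 1 else x

def analyze(message, n):
    """Return (number of induced rectangles, average-case objective PAR)
    for a one-message protocol, with inputs uniform on {0..2^n-1}^2."""
    size = 2 ** n
    inputs = [(x, y) for x in range(size) for y in range(size)]
    ideal = Counter(f(x, y, n) for x, y in inputs)      # |R^I| per output
    rect = Counter(message(x, n) for x, y in inputs)    # |R^P| per message
    # The protocol must compute f: one message never spans two outputs.
    assert len({(message(x, n), f(x, y, n)) for x, y in inputs}) == len(rect)
    total = sum(Fraction(ideal[f(x, y, n)], rect[message(x, n)])
                for x, y in inputs)
    return len(rect), total / len(inputs)

if __name__ == "__main__":
    for n in (3, 4, 6, 8):
        print(n, "P:", analyze(message_P, n), "Q:", analyze(message_Q, n))
```

For every n the rectangle counts agree at 2^(n-1) + 1, while the PAR of P stays at 3/2 and the PAR of Q equals 1 + 2^(n-3).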

B Truthful Public-Good Problem 

B.1 Problem 

As in Sec. 4.3, the government is considering the construction of a bridge at 
cost c. Each taxpayer has a private value that is the utility he would gain from 
the bridge if it were built, and the government wants to build the bridge if and 
only if the sum of the taxpayers' private values is at least c. Now, in addition to 
determining whether to build the bridge, the government incentivizes truthful 
disclosure of the private values by requiring taxpayer i to pay $c - \sum_{j \ne i} x_j$ if 
$\sum_{j \ne i} x_j < c$ but $\sum_j x_j \ge c$ (see, e.g., [20] for a discussion of this type of 
approach). The government should thus learn whether or not to build the bridge 
and how much, if anything, each taxpayer should pay. The formal description 
of the function is as follows; the corresponding ideal partition of the value space 
is shown in Fig. 7, in which regions for which the output is "Build" are just 
labeled with the appropriate value of $(t_1, t_2)$. 

Definition 21 (Truthful Public Good$_{k,c}$) 

Input: $c, x_1, x_2 \in \{0, \ldots, 2^k - 1\}$ (each represented by a k-bit string) 

Output: "Do Not Build" if $x_1 + x_2 < c$; "Build" and $(t_1, t_2)$ if $x_1 + x_2 \ge c$, where 
$t_i = c - x_{3-i}$ if $x_{3-i} < c$ and $x_1 + x_2 \ge c$, and $t_i = 0$ otherwise. 

B.2 Results 

Figure 7: Ideal partition of the value space for Truthful Public Good$_{k,c}$ 
with k = 3 and c = 4. 

Proposition B.1 (Average-case objective PAR of Truthful Public 
Good$_{k,c}$) The average-case objective PAR of Truthful Public Good$_{k,c}$ 
with respect to the uniform distribution is 

$$1 + \frac{c^3}{2^{2k+1}}\left(1 - \frac{1}{c^2}\right).$$ 

Proof: We may rewrite Eq. [T] as (adding subscripts for the values of k and c 
in this problem): 

$$\mathrm{PAR}_{k,c} = \frac{1}{2^{2k}} \left[ \sum_{R_{DNB}} |R^I(R_{DNB})| + \sum_{R_B} |R^I(R_B)| \right],$$ 

where the first sum is taken over rectangles $R_{DNB}$ for which the output is "Do 
Not Build" and the second sum is taken over rectangles $R_B$ for which the output 
is "Build" together with some $(t_1, t_2)$. Using the same argument as for The 
Millionaires Problem$_k$, the first sum must be taken over at least c rectangles; 
the ideal region containing these rectangles has size $c(c+1)/2$. 
Considering the second sum, each of the ideal regions containing a protocol-induced 
rectangle is in fact a rectangle. If the protocol did not further partition 
these rectangles (and it is easy to see that such protocols exist), then the total 
contribution of the second sum is just the total number of inputs for which the 
output is "Build" together with some pair $(t_1, t_2)$, i.e., this contribution 
is $4^k - c(c+1)/2$. We may thus rewrite PAR$_{k,c}$ as 

$$\mathrm{PAR}_{k,c} = \frac{1}{2^{2k}} \left[ c \cdot \frac{c(c+1)}{2} + 4^k - \frac{c(c+1)}{2} \right] = 1 + \frac{c^3}{2^{2k+1}}\left(1 - \frac{1}{c^2}\right).$$ 

□ 

Unsurprisingly, if we take $c = 2^k - 1$ (as in Public Good$_k$ in Sec. 4.3), we 
obtain $\mathrm{PAR}_{k,2^k-1} = 2^{k-1} - \frac{1}{2} + 2^{-k}$, which is essentially half of the average-case 
PAR for The Millionaires Problem$_k$. 
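
The closed form of Proposition B.1 can be checked against a brute-force computation. The Python sketch below is an added example, not code from the paper: `output` follows Definition 21, and `transcript` is one assumed protocol of the kind the proof relies on (it splits the "Do Not Build" region into exactly c rectangles and leaves every "Build" region whole). It assumes 1 <= c <= 2^k - 1.

```python
from fractions import Fraction
from collections import Counter

def output(x1, x2, c):
    """Definition 21: 'Do Not Build', or 'Build' with payments (t1, t2)."""
    if x1 + x2 < c:
        return "Do Not Build"
    t1 = c - x2 if x2 < c else 0
    t2 = c - x1 if x1 < c else 0
    return ("Build", t1, t2)

def transcript(x1, x2, c):
    """Assumed protocol: party 1 announces min(x1, c); party 2 replies
    'DNB' if x1 + x2 < c and otherwise announces min(x2, c)."""
    a = min(x1, c)
    return (a, "DNB") if x1 + x2 < c else (a, min(x2, c))

def brute_force_par(k, c):
    """Average over uniform inputs of |R^I(x)| / |R^P(x)|."""
    inputs = [(x1, x2) for x1 in range(2 ** k) for x2 in range(2 ** k)]
    ideal = Counter(output(x1, x2, c) for x1, x2 in inputs)
    rect = Counter(transcript(x1, x2, c) for x1, x2 in inputs)
    total = sum(Fraction(ideal[output(x1, x2, c)], rect[transcript(x1, x2, c)])
                for x1, x2 in inputs)
    return total / len(inputs)

def closed_form_par(k, c):
    # 1 + (c^3 / 2^(2k+1)) * (1 - 1/c^2)
    return 1 + Fraction(c ** 3, 2 ** (2 * k + 1)) * (1 - Fraction(1, c ** 2))

if __name__ == "__main__":
    k = 3
    for c in range(1, 2 ** k):
        print(c, brute_force_par(k, c), closed_form_par(k, c))
```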